Report #12003


Academic year: 2023



Binary

DLL False

Size 1.69MB

trid 50.4% Win64 Executable
18.2% DOS Borland compiled Executable
12.0% Win32 Dynamic Link Library
8.2% Win32 Executable
3.7% OS/2 Executable

type PE

wordsize 64

Subsystem Windows CLI

Hashes

md5 f01d48691148f929cdf7c4c75a1f14d5

sha1 f7db9e8fbedaaf4889c5bca43e577d4a84a836ef

crc32 0x69fd6ebe

sha224 db3e4f9ef1057cca43d042410383218fbfcf8cf88b131ea4f21cd6fd

sha256 de163e52c13ba690d4b814166acd40a375f98c1864ae088bf7cb67410448c311

sha384 ee4dc9ea94327c8c5c75e1bebc7657b12f5faba0dbf5b0fd287d26f29b3019e859f0e01f02953a70596b64ada4233f71

sha512 8e76f2d32562e4d6bf188f30c382f3ae490dd4d59c4b1e742fd20ab03ceb04d102543186c67e49cfbfc0f85e3fed651408503b12a92cbf3989740dbedfcd1c82

ssdeep 24576:e1DYoP1JgW1tQ2IXUFTBVx2S8lsdu1Hy+mWdyYoltCCiTzXzDhFpaTczxQpJ0cCP:2kUQIF2AaHTjzDhFsFETwD3OZeX

Report #12003

Creation Date: Sept. 23, 2020, 6:22 a.m.

Last Update: Sept. 23, 2020, 6:55 a.m.

File: evader.exe

Results:


Community

Google False

HashLib False

YARA

Matches: domain, Borland, IP, HasDebugData, CRC32_poly_Constant, BASE64_table, HasRichSignature, Delphi_FormShow, CRC32_table, network_dns, win_files_operation, IsPacked, Microsoft_Visual_Cpp_80_DLL, contentis_base64, network_tcp_socket, screenshot, win_hook, win_mutex, keylogger, Delphi_Random, network_udp_sock, Delphi_Copy, anti_dbg, network_tcp_listen, url, win_registry, IsPE64, IsConsole, Delphi_StrToInt

Suspicious True

Strings

List

<options>http://update.bruss.org.ru/l4d2/options.xml</options>

EmbeddedWB http://bsalsa.com/

<patchlist>http://update.bruss.org.ru/l4d2/patchlist.xml</patchlist>

<updater>http://update.bruss.org.ru/l4d2/L4d2_Updater.exe</updater>

http://www.lameguard.com

c:\Users\Win\Documents\Visual Studio 2012\Projects\Dropper\x64\Release\Dropper.pdb t.Ht

GlassFrame.Top 1F.ES

Font.Style Font.Name Font.Style Font.Name Font.Style Font.Name n.ET

dd.mm.yyyy I.bI

W.MC Uh.MG

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" language="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>

24.BM 127.0.0.1 127.0.0.1 127.0.0.1 g.aw

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

\ieframe.dll

%s.Seek not implemented


27.in[G ZK.PA

Error loading Socket interface (ws2_32.dll)!

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform hhctrl.ocx

Software\L2j Community Network\LameUpdater\

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent patchlist.xml

SOFTWARE\Borland\Delphi\RTL Delphi%.8X

Software\Borland\Locales COMCTL32.dll

Software\Borland\Delphi\Locales

\shdocvw.dll MSVCR110.dll

<program>tool.exe</program>

ws2_32.dll ws2_32.dll olepro32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll wship6.dll version.dll WINMM.dll UxTheme.dll wininet.dll uxtheme.dll 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.1 0.0.0.0 0.0.0.0

Software\Microsoft\Internet Explorer\PageSetup Synapse TCP/IP Socket error %d: %s

proc.exe proc.exe

Already installed.

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes Network is down

.new.exe Username No route to host Host is down 255.255.255.255 Downloading %s

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

"s2RW P,@@iR tm,E

FastMM4.pas MUST be the first unit in your project's .dpr file, otherwise memory may be allocated Le*cB

ONF,E


PROXY-CONNECTION:

ControlOfs%.8X%.8X WndProcPtr%.8X%.8X

SSL/TLS support is not compiled!

%g']4h]SbC

#KsWSf^:6<%a Rd8h

A_%2tF file:///

%f^Lg@s"

Socket is not connected Host not found

Foremost

Matches: 24.exe (1 MB), 2149.png (589 KB), 3328.png (14 KB), 3358.png (15 KB), 3389.png (3 KB), 3397.png (3 KB), 3404.png (22 KB)

Suspicious True

Heuristics

IPs
hasIPs: True
Allowed: 255.255.255.255 (1, record), 127.0.0.1 (1, localhost)
Suspicious: 0.0.0.1 (0, Unknown)
hasAllowed: True
hasSuspicious: True

URLs
hasURLs: True
Allowed: none (hasAllowed: False)
Suspicious: http://bsalsa.com/, file://, http://, file:///, http://update.bruss.org.ru/l4d2/patchlist.xml
hasSuspicious: True

Files
hasFiles: True
Allowed: ADVAPI32.dll, SHLWAPI.dll, URLMON.DLL, RPCRT4.dll, OLEAUT32.dll, MAPI32.DLL, wininet.dll, UxTheme.dll, \shdocvw.dll, SHELL32.dll, MSVCR110.dll, PSAPI.dll, COMCTL32.dll, ole32.dll, imm32.dll, olepro32.dll, USER32.DLL, gdi32.dll, DWMAPI.DLL, KERNEL32.dll, \ieframe.dll, WINMM.dll, SHDOCLC.DLL, wship6.dll, version.dll, ws2_32.dll
Suspicious: patchlist.xml, hhctrl.ocx
hasAllowed: True
hasSuspicious: True
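The IP and URL heuristics above are what a strings-based IOC pass produces: the report's classifier treats loopback and broadcast literals as allowed placeholders, flags 0.0.0.1 as unknown, and lists bare scheme stubs such as http:// and file:/// next to real URLs. The Python below is an added example, not code from the report or from the sandbox that produced it; it re-implements that triage over a constructed sample of the strings shown above. The IPV4_RE and URL_RE patterns, the classify_ip buckets and the attribute-value filter are this example's own choices.

```python
import re
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: lines taken from the Strings section of the report above,
# including the manifest line whose version="6.0.0.0" is a classic false
# positive for naive IPv4 regexes.
SAMPLE_STRINGS = [
    "<options>http://update.bruss.org.ru/l4d2/options.xml</options>",
    "EmbeddedWB http://bsalsa.com/",
    "<updater>http://update.bruss.org.ru/l4d2/L4d2_Updater.exe</updater>",
    '<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" '
    'version="6.0.0.0" processorArchitecture="*" language="*"></assemblyIdentity>',
    "24.BM 127.0.0.1 127.0.0.1 127.0.0.1 g.aw",
    "wininet.dll uxtheme.dll 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.1 0.0.0.0 0.0.0.0",
    ".new.exe Username No route to host Host is down 255.255.255.255 Downloading %s",
    "A_%2tF file:///",
    "User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
]

# Dotted quad not embedded in a longer dotted/numeric run (assumed pattern).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(r"\b(?:https?|ftp|file)://[^\s<>\"']*")
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_ip(ip: str) -> str:
    """Bucket an IPv4 literal the way the report's heuristic does: loopback,
    unspecified and broadcast are 'allowed' placeholders; anything else in
    0.0.0.0/8 (e.g. 0.0.0.1) is not a host address and is 'suspicious';
    RFC1918 is 'private'; everything else is a routable 'external' candidate."""
    addr = ipaddress.IPv4Address(ip)
    if addr.is_loopback or addr.is_unspecified or addr == BROADCAST:
        return "allowed"
    if addr in ipaddress.IPv4Network("0.0.0.0/8"):
        return "suspicious"
    if addr.is_private:
        return "private"
    return "external"


def extract_ipv4(lines):
    """Return {ip: (bucket, hit_count)}. Skips matches that sit directly inside
    an attribute value (version="6.0.0.0") and anything with an octet > 255."""
    counts = Counter()
    for line in lines:
        for m in IPV4_RE.finditer(line):
            if m.start() > 0 and line[m.start() - 1] in '="':
                continue  # version string or attribute, not a network literal
            try:
                ipaddress.IPv4Address(m.group())
            except ValueError:
                continue
            counts[m.group()] += 1
    return {ip: (classify_ip(ip), n) for ip, n in counts.items()}


def extract_urls(lines):
    """Split URL hits into {host: {urls}} and a set of scheme-only stubs such as
    'file:///' or 'http://', which are format strings rather than indicators."""
    hosts, stubs = {}, set()
    for line in lines:
        for url in URL_RE.findall(line):
            netloc = urlparse(url).netloc
            if netloc:
                hosts.setdefault(netloc, set()).add(url)
            else:
                stubs.add(url)
    return hosts, stubs


def ioc_report(lines):
    hosts, stubs = extract_urls(lines)
    return {"ips": extract_ipv4(lines), "hosts": hosts, "url_stubs": stubs}


if __name__ == "__main__":
    for key, value in ioc_report(SAMPLE_STRINGS).items():
        print(key, value)
```

Two caveats a practitioner would want: version strings such as the manifest's 6.0.0.0 match any naive IPv4 regex, which is why the code drops literals that sit inside an attribute value; and the "suspicious" URL bucket here means only "has a host", the same as the report's, so bsalsa.com (the EmbeddedWB component vendor's URL) lands next to update.bruss.org.ru and needs a reputation check before it becomes an indicator.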

Binary

Sizes
RVA: 16 (Suspicious: False)
Code Size: 1765376 (Suspicious: False)
Image Address: 5368709120 (0x140000000, Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 1024 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)

Directories
Number: 16 (Suspicious: False)

Checksum
Value: 0 (Suspicious: True)

Sections
Allowed: .text, .rdata, .data, .pdata, .rsrc, .reloc
Suspicious: none
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 6 (Suspicious: False)
Image Version: 6 (Suspicious: True)
Linker Version: 11.0 (Suspicious: False)
Subsystem Version: 6.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 6772 (0x1A74, Suspicious: False)

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
hasLibs: True
Allowed: advapi32.dll, shlwapi.dll, urlmon.dll, rpcrt4.dll, oleaut32.dll, mapi32.dll, wininet.dll, uxtheme.dll, shell32.dll, psapi.dll, comctl32.dll, ole32.dll, imm32.dll, olepro32.dll, user32.dll, gdi32.dll, dwmapi.dll, kernel32.dll, winmm.dll, wship6.dll, version.dll, ws2_32.dll
Suspicious: \shdocvw.dll, msvcr110.dll, \ieframe.dll, shdoclc.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Value: 2020-09-23 06:22:04
Valid: True
Past: False
Future: False

Compilation
Packed: False
Missing: False
Packers: none (Packed: False)
Compiled: True
Compilers: Microsoft Visual C++ 8.0 (DLL)
Obfuscation XOR: False
Fuzzing: False
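The Binary section flags a zero checksum, a zero COFF symbol count and a header/calculated checksum mismatch. The Python below is an added example (not the sandbox's code) that parses the PE32+ headers with struct alone and recomputes the checksum the way imagehlp's CheckSumMappedFile does. build_sample_pe64 constructs a 328-byte header-only fixture from the values the report shows (entry point 6772, image base 5368709120, linker 11.0, subsystem version 6.0, checksum 0); it is a stand-in for the parser, not the analysed evader.exe, and the remaining field values are assumptions.

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
OPT_CHECKSUM_OFFSET = 0x40  # CheckSum dword inside the optional header


def build_sample_pe64(header_checksum=0):
    """Constructed PE32+ fixture: DOS header, COFF header and optional header,
    no sections. Values not shown in the report (alignments, sizes, flags) are
    assumed; the timestamp is 2020-09-23 06:22:04 UTC as in the report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", IMAGE_FILE_MACHINE_AMD64,
                       6,            # NumberOfSections (.text .rdata .data .pdata .rsrc .reloc)
                       1600842124,   # TimeDateStamp
                       0, 0,         # PointerToSymbolTable, NumberOfSymbols
                       240,          # SizeOfOptionalHeader (PE32+)
                       0x0022)       # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        PE32PLUS_MAGIC, 11, 0,                   # Magic, linker 11.0
        1765376, 0, 0,                           # SizeOfCode, init, uninit data
        0x1A74, 0x1000,                          # AddressOfEntryPoint (6772), BaseOfCode
        0x140000000,                             # ImageBase (5368709120)
        0x1000, 0x200,                           # SectionAlignment, FileAlignment
        6, 0, 6, 0, 6, 0,                        # OS, image, subsystem versions
        0, 0x1B4000, 1024,                       # Win32VersionValue, SizeOfImage, SizeOfHeaders
        header_checksum,                         # CheckSum
        3, 0x8160,                               # IMAGE_SUBSYSTEM_WINDOWS_CUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,      # stack/heap reserve and commit
        0, 16,                                   # LoaderFlags, NumberOfRvaAndSizes
    ) + b"\0" * 128                              # 16 empty data directories
    return bytes(dos) + coff + opt


def parse_pe_headers(data: bytes) -> dict:
    """Minimal PE32+ header walk: MZ -> e_lfanew -> PE -> COFF -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, sym_ptr, nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                          # 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled here")
    entry, base_of_code, image_base = struct.unpack_from("<IIQ", data, opt + 16)
    checksum_offset = opt + OPT_CHECKSUM_OFFSET
    return {
        "machine": machine, "sections": nsections, "timestamp": timestamp,
        "symbol_ptr": sym_ptr, "symbols": nsyms, "characteristics": chars,
        "entry_point": entry, "image_base": image_base,
        "header_checksum": struct.unpack_from("<I", data, checksum_offset)[0],
        "checksum_offset": checksum_offset,
    }


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE image checksum: 32-bit sum with carry fold over the zero-padded file,
    skipping the CheckSum dword itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset & ~3
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def check_checksum(data: bytes):
    """Return (stored, calculated, matches): the report's 'Anomalies' test."""
    hdr = parse_pe_headers(data)
    calc = pe_checksum(data, hdr["checksum_offset"])
    return hdr["header_checksum"], calc, hdr["header_checksum"] == calc


def fix_checksum(data: bytes) -> bytes:
    """Write the calculated checksum back; recomputing afterwards must agree."""
    hdr = parse_pe_headers(data)
    out = bytearray(data)
    struct.pack_into("<I", out, hdr["checksum_offset"],
                     pe_checksum(data, hdr["checksum_offset"]))
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_pe64()
    print(parse_pe_headers(sample))
    print("stored/calculated/match:", check_checksum(sample))
```

Weighting these flags: Windows verifies the image checksum only for drivers and a few system images, and user-mode builds linked without /RELEASE leave the field at zero, so a mismatch on an EXE is weak evidence by itself. MSVC likewise keeps symbols in the PDB (note the Dropper.pdb path in the strings), so NumberOfSymbols = 0 is the normal case. Separately, linker version 11.0 and the MSVCR110.dll import point to Visual Studio 2012, which does not fit the "Visual C++ 8.0" compiler signature the report lists.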

PEDetector

Matches 12448

Suspicious True

Disassembly

hasTricks False

Tricks

AVclass

mikey 1

VirusTotal

md5 f01d48691148f929cdf7c4c75a1f14d5

sha1 f7db9e8fbedaaf4889c5bca43e577d4a84a836ef

SCANS (DETECTION RATE = 36.62%, 26 of 71 engines)

Engine | Detected | Result | Engine version | Signature update
AVG | True | Win64:BankerX-gen [Trj] | 18.4.3895.0 | 20200923
CMC | False | | 2.7.2019.1 | 20200923
MAX | True | malware (ai score=82) | 2019.9.16.1 | 20200923
APEX | True | Malicious | 6.73 | 20200922
Bkav | False | | 1.3.0.9899 | 20200923
K7GW | False | | 11.141.35295 | 20200923
ALYac | True | Gen:Variant.Johnnie.276394 | 1.1.1.5 | 20200923
Avast | True | Win64:BankerX-gen [Trj] | 18.4.3895.0 | 20200923
Avira | False | | 8.3.3.8 | 20200923
Baidu | False | | 1.0.0.2 | 20190318
Cynet | False | | 4.0.0.24 | 20200917
Cyren | False | | 6.3.0.2 | 20200923
DrWeb | True | Trojan.Encoder.30162 | 7.0.49.9080 | 20200923
GData | True | Gen:Variant.Mikey.115311 | A:25.27114B:27.20268 | 20200923
Panda | False | | 4.6.4.2 | 20200922
VBA32 | False | | 4.4.1 | 20200923
VIPRE | False | | 86900 | 20200923
Zoner | False | | 0.0.0.0 | 20200920
ClamAV | False | | 0.102.3.0 | 20200922
Comodo | False | | 32836 | 20200923
Ikarus | True | Trojan.Win32.Injector | 0.1.5.2 | 20200923
McAfee | False | | 6.0.6.653 | 20200922
Rising | True | Backdoor.Remcos!8.B89E (TFE:5:IBRWLZzTx1N) | 25.0.0.26 | 20200923
Sophos | False | | 4.98.0 | 20200923
Yandex | False | | 5.5.2.24 | 20200911
Zillya | False | | 2.0.0.4180 | 20200923
Acronis | False | | 1.1.1.78 | 20200917
Alibaba | False | | 0.3.0.5 | 20190527
Arcabit | True | Trojan.Mikey.D1C26F | 1.0.0.881 | 20200923
Cylance | False | | 2.3.1.101 | 20200923
Elastic | True | malicious (high confidence) | 4.0.9 | 20200917
FireEye | True | Generic.mg.f01d48691148f929 | 32.36.1.0 | 20200923
Sangfor | False | | 1.0 | 20200814
TACHYON | False | | 2020-09-23.02 | 20200923
Tencent | False | | 1.0.0.1 | 20200923
ViRobot | False | | 2014.3.20.0 | 20200923
Webroot | False | | 1.0.0.403 | 20200923
eGambit | False | | | 20200923
Ad-Aware | True | Gen:Variant.Mikey.115311 | 3.0.16.117 | 20200923
AegisLab | False | | 4.2 | 20200923
Emsisoft | True | Gen:Variant.Mikey.115311 (B) | 2018.12.0.1641 | 20200923
F-Secure | False | | 12.0.86.52 | 20200923
Fortinet | True | W64/Kryptik.ERUI!tr | 6.2.142.0 | 20200923
Invincea | True | Generic ML PUA (PUA) | 1.0.1.0 | 20200923
Jiangmin | True | Trojan.MSIL.qkml | 16.0.100 | 20200923
Kingsoft | False | | 2013.8.14.323 | 20200923
Paloalto | False | | 1.0 | 20200923
Symantec | False | | 1.12.0.0 | 20200923
AhnLab-V3 | True | Trojan/Win32.AgentTesla.R350864 | 3.18.1.10026 | 20200923
Antiy-AVL | True | Trojan/Win64.GenKryptik | 3.0.0.1 | 20200923
Kaspersky | False | | 15.0.1.13 | 20200923
MaxSecure | True | Trojan.Malware.300983.susgen | 1.0.0.1 | 20200922
Microsoft | True | Trojan:Win32/Wacatac.C!ml | 1.1.17400.5 | 20200923
Qihoo-360 | False | | 1.0.0.1120 | 20200923
ZoneAlarm | False | | 1.0 | 20200923
Cybereason | True | malicious.fbedaa | 1.2.449 | 20190616
ESET-NOD32 | True | a variant of Win64/Kryptik.CAA | 22036 | 20200923
TrendMicro | False | | 11.0.0.1006 | 20200923
BitDefender | True | Gen:Variant.Mikey.115311 | 7.2 | 20200923
CrowdStrike | False | | 1.0 | 20190702
K7AntiVirus | False | | 11.141.35295 | 20200923
SentinelOne | False | | 4.4.0.0 | 20200724
Malwarebytes | True | Trojan.MalPack | 3.6.4.335 | 20200923
TotalDefense | False | | 37.1.62.1 | 20200923
CAT-QuickHeal | False | | 14.00 | 20200923
NANO-Antivirus | False | | 1.0.134.25140 | 20200923
BitDefenderTheta | False | | 7.2.37796.0 | 20200918
MicroWorld-eScan | True | Gen:Variant.Mikey.115311 | 14.0.409.0 | 20200923
SUPERAntiSpyware | False | | 5.6.0.1032 | 20200918
McAfee-GW-Edition | False | | v2019.1.2+3728 | 20200923
TrendMicro-HouseCall | False | | 10.0.0.1040 | 20200923

total 71

sha256 de163e52c13ba690d4b814166acd40a375f98c1864ae088bf7cb67410448c311

scan_id de163e52c13ba690d4b814166acd40a375f98c1864ae088bf7cb67410448c311-1600853087

resource f01d48691148f929cdf7c4c75a1f14d5

permalink https://www.virustotal.com/gui/file/de163e52c13ba690d4b814166acd40a375f98c1864ae088bf7cb67410448c311/detection/f-de163e52c13ba690d4b814166acd40a375f98c1864ae088bf7cb67410448c311-1600853087

positives 26

scan_date 2020-09-23 09:24:47

verbose_msg Scan finished, information embedded

response_code 1
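The AVclass line above ("mikey") and the 26 positive labels in the VirusTotal table are connected: AVclass tokenizes every vendor label, discards generic tokens and numeric or hex suffixes, and keeps the plurality family name. The Python below is an added example, not AVclass itself (whose generic-token and alias lists are far longer), that runs that procedure over the labels shown above; GENERIC and ALIASES are this example's own shortened lists, and VT_LABELS is transcribed from the table.

```python
import re
from collections import Counter

# Constructed input: the 26 positive labels from the VirusTotal table above.
VT_LABELS = {
    "AVG": "Win64:BankerX-gen [Trj]",
    "MAX": "malware (ai score=82)",
    "APEX": "Malicious",
    "ALYac": "Gen:Variant.Johnnie.276394",
    "Avast": "Win64:BankerX-gen [Trj]",
    "DrWeb": "Trojan.Encoder.30162",
    "GData": "Gen:Variant.Mikey.115311",
    "Ikarus": "Trojan.Win32.Injector",
    "Rising": "Backdoor.Remcos!8.B89E (TFE:5:IBRWLZzTx1N)",
    "Arcabit": "Trojan.Mikey.D1C26F",
    "Elastic": "malicious (high confidence)",
    "FireEye": "Generic.mg.f01d48691148f929",
    "Ad-Aware": "Gen:Variant.Mikey.115311",
    "Emsisoft": "Gen:Variant.Mikey.115311 (B)",
    "Fortinet": "W64/Kryptik.ERUI!tr",
    "Invincea": "Generic ML PUA (PUA)",
    "Jiangmin": "Trojan.MSIL.qkml",
    "AhnLab-V3": "Trojan/Win32.AgentTesla.R350864",
    "Antiy-AVL": "Trojan/Win64.GenKryptik",
    "MaxSecure": "Trojan.Malware.300983.susgen",
    "Microsoft": "Trojan:Win32/Wacatac.C!ml",
    "Cybereason": "malicious.fbedaa",
    "ESET-NOD32": "a variant of Win64/Kryptik.CAA",
    "BitDefender": "Gen:Variant.Mikey.115311",
    "Malwarebytes": "Trojan.MalPack",
    "MicroWorld-eScan": "Gen:Variant.Mikey.115311",
}

# Assumed, shortened stand-ins for AVclass's generic-token and alias lists.
GENERIC = {
    "trojan", "backdoor", "malware", "malicious", "generic", "variant",
    "win32", "win64", "msil", "high", "confidence", "score", "susgen",
    "malpack", "heur", "agent", "downloader", "dropper",
}
ALIASES = {"genkryptik": "kryptik"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def family_tokens(label: str) -> set:
    """Candidate family names in one label: lower-cased alphanumeric tokens of
    4+ characters that are not generic, contain no digits and are not pure hex
    (so 'fbedaa', 'd1c26f', '115311' and 'r350864' drop out). A real family
    whose name happens to be all hex letters would be lost by the last rule."""
    out = set()
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if len(tok) < 4 or tok in GENERIC:
            continue
        if any(c.isdigit() for c in tok) or HEX_RE.match(tok):
            continue
        out.add(ALIASES.get(tok, tok))
    return out


def family_vote(labels: dict) -> Counter:
    """One vote per engine per distinct family token."""
    votes = Counter()
    for label in labels.values():
        for fam in family_tokens(label):
            votes[fam] += 1
    return votes


def consensus(labels: dict, min_votes: int = 2):
    """Plurality family, or None when no token reaches min_votes."""
    votes = family_vote(labels)
    if not votes:
        return None
    fam, n = votes.most_common(1)[0]
    return (fam, n) if n >= min_votes else None


if __name__ == "__main__":
    print(family_vote(VT_LABELS).most_common())
    print("consensus:", consensus(VT_LABELS))
```

The vote comes out 6 for mikey against 3 for kryptik, but five of the six come from products known to license the BitDefender engine (Ad-Aware, Emsisoft, eScan, GData, Arcabit), and Gen:Variant.Mikey is a BitDefender generic cluster rather than a documented family, so the "consensus" is closer to one opinion repeated. The independent engines disagree with each other (Remcos, AgentTesla, BankerX, Kryptik, Wacatac), which is the pattern of a packed or obfuscated dropper rather than a settled family attribution.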

Results

BINARY

NFS 2.0 (Threshold = 0.8) confidence: 87.50%

suspicious: False

Decision Tree (NFS-BRMalware) confidence: 100.00%

suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 88.37%

suspicious: False

Random Forest (100 estimators, NFS-BRMalware) confidence: 64.00%

suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 41.19%

suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336) confidence: 27.91%

suspicious: False
